Contrarisk Security Podcast #0026: Evolving DDoS

Distributed Denial of Service (DDoS) attacks have been with us for a long time. But is the nature of the attacks evolving, and how is this presenting new threats?

We’re all too familiar with DDoS being used for hacktivism, political purposes and extortion. But, in this interview, Dave Larson, CTO of Corero Network Security, explains how we’re also now seeing more hybrid attacks in which DDoS is used to mask more sinister and significant activity – such as malware infection or data exfiltration.

Spotting that this is going on isn’t easy unless your systems are properly instrumented and configured to capture all the relevant metadata related to the attack. And even then, making sense of what’s going on can be tricky. It’s a big data problem – teasing out the significant data while you’re also busy firefighting the attack. And a lot of organisations have neither the technical resources nor the skills to deal with this.

In addition to specific DDoS defences, you also need protections around your data that work regardless of the nature of the attack. And, above all, you need threat intelligence derived from the kinds of systems that alert you to, for example, probes against your networks, synthesised with event information from the likes of firewalls, IPS and so on. And all of this needs to be coordinated in near real time through an analytics engine.
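As an added illustration of the correlation described above (example code, not from the podcast or Corero), this Python snippet flags internal hosts whose outbound traffic spikes while inbound volume is at flood levels and attaches any IPS alerts that fired in the same window; the flow records, alert lines, the two-minute quiet baseline and the 5x thresholds are all constructed assumptions.

```python
"""Surface a possible hybrid attack: outbound spikes hidden under inbound DDoS volume.
Added example; flow records, alerts and thresholds below are constructed."""
from collections import defaultdict

# Constructed per-minute flow summaries: (minute, direction, internal_host, bytes)
FLOWS = [
    (0, "in", "web01", 50_000_000),  (0, "out", "db02", 2_000_000),
    (1, "in", "web01", 55_000_000),  (1, "out", "db02", 2_100_000),
    (2, "in", "web01", 900_000_000), (2, "out", "db02", 2_000_000),    # flood begins
    (3, "in", "web01", 950_000_000), (3, "out", "db02", 480_000_000),  # egress under cover
    (4, "in", "web01", 970_000_000), (4, "out", "db02", 520_000_000),
    (5, "in", "web01", 60_000_000),  (5, "out", "db02", 2_000_000),
]
# Constructed IPS alerts: (minute, internal_host, signature)
ALERTS = [(1, "db02", "recon: port sweep"), (3, "db02", "suspicious TLS to new ASN")]

def baseline(values):
    return sum(values) / len(values)

def attack_window(flows, factor=5.0):
    """Minutes whose inbound volume exceeds factor x the baseline of the first two minutes."""
    inbound = defaultdict(int)
    for minute, direction, _, nbytes in flows:
        if direction == "in":
            inbound[minute] += nbytes
    quiet = baseline([inbound[m] for m in sorted(inbound)[:2]])  # assumed quiet period
    return {m for m, v in inbound.items() if v > factor * quiet}

def suspicious_egress(flows, window, factor=5.0):
    """Hosts whose outbound bytes inside the window exceed factor x their own bytes outside it."""
    out = defaultdict(lambda: defaultdict(int))
    for minute, direction, host, nbytes in flows:
        if direction == "out":
            out[host][minute] += nbytes
    flagged = {}
    for host, per_min in out.items():
        calm = [v for m, v in per_min.items() if m not in window]
        if not calm:
            continue  # no baseline outside the attack; cannot judge this host
        limit = factor * baseline(calm)
        hits = sorted(m for m, v in per_min.items() if m in window and v > limit)
        if hits:
            flagged[host] = hits
    return flagged

def correlate(flows, alerts, factor=5.0):
    """Join flagged egress with IPS alerts that fired for the same host during the flood."""
    window = attack_window(flows, factor)
    return {host: {"minutes": mins,
                   "alerts": [sig for m, h, sig in alerts if h == host and m in window]}
            for host, mins in suspicious_egress(flows, window, factor).items()}
```

Running `correlate(FLOWS, ALERTS)` on the constructed data reports db02 for minutes 3 and 4 together with the TLS alert from minute 3, while the earlier port-sweep alert stays outside the window.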

Volumetric attacks are increasing in scale and effectiveness, Larson says, mainly because of vulnerable services out there, such as badly configured NTP or DNS servers. “It’s virtually free to launch massive-scale attacks,” he explains.

And there’s another growing problem. As organisations move more and more of their IT capability to shared datacentres and cloud services, it’s becoming more common for them to suffer from DDoS even if they are not the intended target.